diff --git a/app/Extensions/WebauthnTwoFAuthUserProvider.php b/app/Extensions/WebauthnTwoFAuthUserProvider.php
new file mode 100644
index 00000000..c86741de
--- /dev/null
+++ b/app/Extensions/WebauthnTwoFAuthUserProvider.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Extensions;
+
+use Illuminate\Auth\EloquentUserProvider;
+use App\Models\WebAuthnAuthenticatable;
+use Laragear\WebAuthn\Auth\WebAuthnUserProvider;
+
+class WebauthnTwoFAuthUserProvider extends WebAuthnUserProvider
+{
+    /**
+     * Validate a user against the given credentials.
+     *
+     * @param  \Illuminate\Contracts\Auth\Authenticatable|\App\Models\WebAuthnAuthenticatable|\App\Models\User  $user
+     * @param  array  $credentials
+     *
+     * @return bool
+     */
+    public function validateCredentials($user, array $credentials): bool
+    {
+        if ($user instanceof WebAuthnAuthenticatable && $this->isSignedChallenge($credentials)) {
+            return $this->validateWebAuthn();
+        }
+
+        // If the user disabled the fallback is enabled, we will validate the credential password.
+        return $user->preferences['useWebauthnOnly'] == false && EloquentUserProvider::validateCredentials($user, $credentials);
+    }
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 7a0513df..c0ecb334 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -88,19 +88,17 @@ class AuthServiceProvider extends ServiceProvider
             return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
         });
 
-        // Previously we were using a custom user provider derived from the Larapass user provider
-        // in order to honor the "useWebauthnOnly" user option.
-        // Since Laragear\WebAuthn now replaces DarkGhostHunter\Larapass, the new approach is
-        // simplier: We overload the 'eloquent-webauthn' registration from Laragear\WebAuthn\WebAuthnServiceProvider
-        // with a custom closure that uses the "useWebauthnOnly" user option
+        // We use a custom user provider derivated from the Laragear\WebAuthn one to honor the "useWebauthnOnly" user option.
+        // As this option is now available in the $user->preferences array it is no more possible to overload the $fallback
+        // value here because $user is not available at registration.
         Auth::provider(
             'eloquent-webauthn',
             static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider {
-                return new \Laragear\WebAuthn\Auth\WebAuthnUserProvider(
+                return new \App\Extensions\WebauthnTwoFAuthUserProvider(
                     $app->make('hash'),
                     $config['model'],
                     $app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class),
-                    Settings::get('useWebauthnOnly') ? false : true
+                    true
                 );
             }
         );